Home Besucher Community Aussteller Presse LinuxTag e.V. Impressum 

Aktuelles LPI-Prüfungen Helfer Projekte Workshops Hacking Keysigning FAQ 

Kontakte

Keysigning Party Organisation
Alexander Wirt
formorer@debian.org

Projektkomitee:
LinuxTag e. V.
projects@linuxtag.org

Keysigning Party

Kultiges Zusammensitzen und gemeinsames Murmeln magischer Zahlen.
Gert Döring, FdI 95

At the LinuxTag 2006 in Wiesbaden there will be an OpenPGP (pgp/gpg) keysigning party.
The party will be on Friday, May 5th, at 14:00.

What is/Why keysigning?

Please read section One of the GnuPG Keysigning Party HOWTO
(note: we are doing the party slightly different, so the other chapters
do not 100% apply).

How

The party will be conducted using Len Sassaman's Efficient Group Key Signing Method:

• If you intent to participate please send a mail with nothing but your KeyID (or KeyIDs) in the body to formorer+kslt2k6@formorer.de by Sunday, April 30th, 2006.
  Subject does not matter. If you have more than one key put each KeyID into a line of its own. Make sure your key can be found on hkp://subkeys.pgp.net/.
  If your key is not listed at http://ned.snow-crash.org:8080/svn/ksp-lt2k6/ within three or four days, please contact me personally.
• By Monday, May 1st, you will be able to fetch both the complete keyring with all the keys that were submitted along with a text file (ksp-lt2k6.txt) giving the fingerprint of each key on the ring.
• At home, verify that the fingerprint of your key in ksp-lt2k6.txt is correct. Also compute the MD5 hash of ksp-lt2k6.txt. One way to do this is with md5sum invoked as follows:

  % md5sum ksp-lt2k6.txt

  or

  % gpg --print-md md5 ksp-lt2k6.txt

  We will also read the SHA1 hash, so you should calculate that too (sha1sum or gpg --print-md sha1).
• At LinuxTag, come with the hash you computed and a hardcopy of ksp-lt2k6.txt.
• A reader at the front of the room will recite the MD5 hash of ksp-lt2k6.txt. Verify that the hash recited matches what you computed. This guarantees that all participants are working from the same list of keys.
• In turn, each participant will stand and acknowledge that the fingerprint of his or her key listed is correct. Mark the key verified on your hardcopy. Since we already ensured that everybody has the same copy a simple statement like "yes, this information is correct" is sufficient.
• The next step is to verify each participant's identity by checking her passport or similar form of ID.
• Later that evening, or perhaps when you get home, you can sign the keys which you were able to verify hardcopy. After you signed a key send it to its owner together with your signature.

Downloads:

(most of them are not available yet. But they should be available on Monday the 1st May)

• ksp-lt2k6.txt - List of participants
• ksp-lt2k6.asc - participating keys
• ksp-lt2k6-full.asc - participating keys with all the signatures they already have
  
• ksp-lt2k6-full.asc - participating keys with all the signatures they already have, bzip2 compressed
  

Summary: What to bring with you

• A printout of ksp-lt2k6.txt check that your fingerprint is correct.
• The MD5 Hash you made of ksp-lt2k6.txt so that we can ensure we are all working with the same copy.
• Some form of government issued ID (passport or similar).
  

If you have questions please ask Alexander Wirt .

Relevant Information and Sources for More Information 

Keyservers

The only keyserver rotation you should use is subkeys.pgp.net or random.sks.keyserver.penguin.de if you insist. Any of the servers in this rotations is fine.
Please, please, pretty please with a cherry on top, do not use other rotations, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways, including but not limited to dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or don't sync with the rest of the network.

Please use subkeys.pgp.net.

caff

CA Fire and Forget is a script that helps you in keysigning. It takes a list of keyids on the command line, fetches them from a keyserver and calls GnuPG so
that you can sign it. It then mails each key to all its email addresses - only including the one UID that we send to in each mail, pruned from all but self
sigs and sigs done by you.

Download it: caff
Homepage: http://pgp-tools.alioth.debian.org/

If you have Debian you could also install the signing-party package
FreeBSD users can install the signing-party port
For NetBSD users caff has its own port

Depends: gnupg (>= 1.3.92), perl, libgnupg-interface-perl, libmime-perl, libmailtools-perl (>= 1.62)

gpgsigs

Uli Martens wrote a small perl script that, given a key ID and ksp-lt2k6.txt tells you which keys (UIDs) you already signed by annotating the UID with (S).

153  [ ] Fingerprint OK        [ ] ID OK
(S)  pub  1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
     Key fingerprint = A48F 8894 37A0 FDE9 60D5  212A 2A58 CEAA 5269 8E9F
(S)  uid     Uli Martens <isax@gmx.de>

( )  uid     Uli Martens <u.martens@youam.com>
(S)  uid     Uli Martens <u.martens@scientific.de>

Download it: gpgsigs.

It requires perl, gnupg (>=1.2.x) and either Locale::Recode (in Debian Package libintl-perl, in testing and unstable) or recode (Debian Package recode).  

A word on GnuPG versions

GnuPG 1.0.*, as shipped with Debian Woody has serious problems.Please consider upgrading to 1.2.*. It's a lot faster too, which you will appreciate I guess.Debian Sarge ships 1.4.1, which is needed for some of the utilities above.

There is a newer GnuPG package at backports.org.

About this site

They layout and most of its content has been stolen with his permission from Peter Palfrader who also organised the last Linuxtag signing partys.